Performing actions via devices that establish a secure, private network

ABSTRACT

Embodiments are directed towards, gateway computers and management platform server computers for managing secure communication over a network. Gateway computer may intercept communications from unauthenticated source node computers directed to target node computers. If the unauthenticated node computer provides its credentials in response to a request for credentials from the gateway computer, the credentials and the intercepted communications may be provided to a management platform server for further processing. The management platform server may authenticate the unauthenticated source node computer based on its credentials and the intercepted communication and the management platform server may determine a target gateway computer that corresponds to the target node computer based on content of the intercepted communication. The management platform server may provide configuration information for generating a secure private network connection between the gateway computer and the target gateway computer.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a Utility patent application based on a previouslyfiled U.S. Provisional Patent Application U.S. Ser. No. 62/030,608 filedon Jul. 30, 2014, entitled “PERFORMING ACTIONS VIA DEVICES THATESTABLISH A SECURE, PRIVATE NETWORK,” the benefit of the filing date ofwhich is hereby claimed under 35 U.S.C. §119(e) and which is furtherincorporated by reference in its entirety.

TECHNICAL FIELD

The present invention relates generally to network management, and moreparticularly, but not exclusively, to managing network communication inan industrial networking environment.

BACKGROUND

Industrial equipment, such as manufacturing equipment used to build orassemble products, may be supported by industrial networking and/orcommunications networks. In industrial networks, the operation ofmachines that control industrial processes (e.g., manufacturing,machining, stamping, product packaging, or the like) may be arranged tocommunicate with other machines and/or computers over the industrialnetwork. In some cases, such communication may be related to supervisingand controlling operations of the various industrial machines. Also, theindustrial network may be used for collecting data from the industrialmachines for monitoring a manufacturing or assembly process, monitoringand improving operational efficiency, throughput, quality control, orthe like.

In some cases, the communication/network protocols used in industrialcommunications networks may differ from, or be incompatible with,standard communications protocols used for common business networks. Insome cases this may cause the establishment of connectivityrelationships between the two types of networks challenging. Inaddition, many industrial communication systems were not designed withinformation security in mind, but now require secure connectivity to becompatible with business network security protocols, or to be compliantwith regulatory standards. Thus, it is with respect to these and otherconsiderations that these innovations are made.

BRIEF DESCRIPTION OF THE DRAWINGS

Non-limiting and non-exhaustive embodiments of the present innovationsare described with reference to the following drawings. In the drawings,like reference numerals refer to like parts throughout the variousfigures unless otherwise specified. For a better understanding of thedescribed innovations, reference will be made to the followingDescription of Various Embodiments, which is to be read in associationwith the accompanying drawings, wherein:

FIG. 1 is a block diagram illustrating one embodiment of a suitablenetwork environment for collecting data from a private network;

FIG. 2 is a block diagram illustrating the components of one embodimentof network analysis system in accordance with at least one of thevarious embodiments;

FIG. 3 illustrates an overview flowchart illustrating a method forperforming an action based on data collected from a private network inaccordance with at least one of the various embodiments;

FIG. 4 is a logical diagram illustrating one embodiment of a suitablenetwork environment for two factor authentication of a device on aprivate network in accordance with at least one of the variousembodiments;

FIG. 5 illustrates the logical components of an authentication system inaccordance with at least one of the various embodiments;

FIG. 6 illustrates a flowchart for a process for authenticating a deviceon a private network in accordance with at least one of the variousembodiments;

FIG. 7 illustrates the logical components of a network environment forproviding high availability to devices that access a private network inaccordance with at least one of the various embodiments;

FIG. 8 illustrates the logical components of a high availability systemin accordance with at least one of the various embodiments;

FIG. 9 illustrates a flowchart for a process for providing a device withaccess to a private network in accordance with at least one of thevarious embodiments;

FIG. 10 shows components of one embodiment of an environment in whichembodiments of the invention may be practiced;

FIG. 11 shows one embodiment of a client computer that may be includedin a system in accordance with at least one of the various embodiments;

FIG. 12 shows one embodiment of a network computer, in accordance withat least one of the various embodiments;

FIG. 13 shows a logical architecture of a networked environment inaccordance with at least one of the various embodiments; and

FIG. 14 illustrates an overview flowchart of a process for performingactions via devices that establish a secure private network inaccordance with at least one of the various embodiments.

DESCRIPTION OF VARIOUS EMBODIMENTS

Various embodiments now will be described more fully hereinafter withreference to the accompanying drawings, which form a part hereof, andwhich show, by way of illustration, specific exemplary embodiments bywhich the invention may be practiced. The embodiments may, however, beembodied in many different forms and should not be construed as limitedto the embodiments set forth herein; rather, these embodiments areprovided so that this disclosure will be thorough and complete, and willfully convey the scope of the embodiments to those skilled in the art.Among other things, the various embodiments may be methods, systems,media or devices. Accordingly, the various embodiments may take the formof an entirely hardware embodiment, an entirely software embodiment oran embodiment combining software and hardware aspects. The followingdetailed description is, therefore, not to be taken in a limiting sense.

Throughout the specification and claims, the following terms take themeanings explicitly associated herein, unless the context clearlydictates otherwise. The phrase “in one embodiment” as used herein doesnot necessarily refer to the same embodiment, though it may.Furthermore, the phrase “in another embodiment” as used herein does notnecessarily refer to a different embodiment, although it may. Thus, asdescribed below, various embodiments may be readily combined, withoutdeparting from the scope or spirit of the invention.

In addition, as used herein, the term “or” is an inclusive “or”operator, and is equivalent to the term “and/or,” unless the contextclearly dictates otherwise. The term “based on” is not exclusive andallows for being based on additional factors not described, unless thecontext clearly dictates otherwise. In addition, throughout thespecification, the meaning of “a,” “an,” and “the” include pluralreferences. The meaning of “in” includes “in” and “on.”

For example embodiments, the following terms are also used hereinaccording to the corresponding meaning, unless the context clearlydictates otherwise.

As used herein the terms “mesh network,” “industrial network” refer to anetwork of industrial computer/machines, workstations, client computers,gateway computers, traffic management computers, network monitoringcomputers, or the like. The term mesh network used herein describes boththe typical network topology of a network in an industrial operationenvironment as well as more generally, a networked system used toperform operations in an industrial environment, such as, as factoryfloor, manufacturing complex, oil refinery, or the like. In the interestof clarity such networks (including machines and computers on thenetwork) are referred to as mesh networks even when their topologyand/or configuration is not strictly a “mesh” network and/or partial“mesh” network. In some cases, such networks may be referred to secureprivate networks herein.

As used herein the term “physical network” refers to the actualindustrial communication network that interconnects one or moreindustrial machines/computers. The physical network may be a physicaland/or native network device/components used to connect one or moreindustrial computers and/or industrial devices (machine) in afactory/industrial complex. Physical networks include networkinterfaces, wire, wireless hotspots, switches, routers, repeaters, orthe like, that comprise the physical network Also, physical networks maybe considered to include the native communication protocols, networktopology, and so on, that may be used to setup a mesh network in anindustrial environment. In some cases, physical networks may be arrangedto enable open communication between node computers, (e.g., machines,workstations, and so on), gateway computer, or the like, that are on thephysical network.

As used herein the terms “node,” and “node computer” refer to computersthat are endpoint computers interconnected over a physical network. Nodecomputers may include client computers, network computers, industrialworkstations, press machines, robots, packaging machines, automatedmilling machines, automated printing presses, pumps, valves, boilers, orthe like. Node computers are considered to be computer/device connectedto the physical network exclusive of gateway computers, networkmonitoring computer, and traffic management computers.

As used herein the terms “source node,” and “source node computer” referto a node computer that is the originating endpoint of a networkcommunication.

As used herein the terms “target node,” and “target node computer” referto a node computer that is the ultimate intended destination of acommunication. In some embodiments, a source node computer may becommunicating to one or more other node computers over anindustrial/mesh network. These intended recipients of thesecommunication may be considered target node computers. Accordingly, anode computer may be a target node computer if it receivescommunications and it may be a source node computer if it sendscommunications.

As used herein the terms “gateway,” “gateway computer, “industrialsecurity computer,” and “industrial security appliance” refer tocomputers connected to an industrial network that are disposed betweenthe node computers and the physical network. Gateway computers may benetwork computers that may be arranged to provide security, accesscontrol, communication routing, or the like, for the mesh network. Insome embodiments, gateway computer may be configured by another networkcomputer, such as, a management platform server computer.

As used herein the terms “target gateway,” and “target gateway computer”refer to one or more gateway computers that are disposed between thetarget node computers that may be the intended recipients of acommunication in a mesh network.

As used herein the term “management platform computer,” “managementplatform server computer” refer to one or more network computers thatmay be arranged to provide administrative and/or configuration servicesto one or more computer, such as, gateway computers, that may be in amesh network.

As used herein the terms “network path,” and “path” refer to aparticular route between one or more endpoints through a physicalnetwork. A network path for given communication may be determined and/orenforced by a gateway computer. In some cases, network paths may bedefined statically, in other cases, network paths may be determineddynamically.

As used herein the term “capability characteristics” refer to thecapabilities of equipment coupled to one or more node computers on thesecure private network and/or the node computer themselves. Capabilitycharacteristics may include, types of fasteners, nails, staples, glue,and so on, available at the equipment (e.g., industrial robot) Also,other capability characteristics may include, speed/cycle-rate, size,capacity, physical location, temperature, maintenance history,engineering tolerances, or the like, or combination thereof. Further,capability characteristics may include, energy consumption, voltagemin/max, current min/max, or the like.

The following briefly describes embodiments of the invention in order toprovide a basic understanding of some aspects of the invention. Thisbrief description is not intended as an extensive overview. It is notintended to identify key or critical elements, or to delineate orotherwise narrow the scope. Its purpose is merely to present someconcepts in a simplified form as a prelude to the more detaileddescription that is presented later.

Briefly stated, various embodiments are directed to collecting data, andperforming actions associated with the collected data, from a private orsecure network, are described. For example, the systems and methods mayenable the collection of data from a large-scale, industrial securenetwork, such as a secure network that is established and controlled bya management component and multiple security appliances, managementplatform computers, industrial security computer, and industrialsecurity appliances (ISA) that may couple one or more nodes and/ordevices to a private secure network, industrial network, mesh network,or the like. In at least one of the various embodiments, one or moregateway computers, management platform server computers (e.g., SCMPs)may be arranged for managing secure communication over a network. In atleast one of the various embodiments, the gateway computer may interceptcommunications from unauthenticated source node computers directed toone or more target node computers.

In at least one of the various embodiments, the gateway computer maygenerate instructions for a user-interface that enables a user to enterthe credentials and provide the instructions to the unauthenticatedsource node computer. In at least one of the various embodiments,communication originating outside the network may be intercepted.Accordingly, in at least one of the various embodiments, the gatewaycomputer may generate the requests for credentials based on one or moretypes of each intercepted communication.

In at least one of the various embodiments, if the unauthenticated nodecomputer provides its credentials in response to a request forcredentials from the gateway computer, the credentials and theintercepted communications may be provided to a management platformserver for further processing.

In at least one of the various embodiments, the management platformserver may authenticate the unauthenticated source node computer basedon its credentials and the intercepted communication. Also, in at leastone of the various embodiments, the management platform server maydetermine a target gateway computer that corresponds to the target nodecomputer based on content of the intercepted communication. In at leastone of the various embodiments, determining the target gateway computer,may further include determining the target gateway computer based on oneor more rule-based policies.

Further, in at least one of the various embodiments, the managementplatform server may provide configuration information for generating asecure private network connection between the gateway computer and thetarget gateway computer. In at least one of the various embodiments, theconfiguration information for generating the secure private networkconnection may further include routing tables, firewall information, orthe like, that enables the gateway computer to access the secure privateconnection and communicate with the target gateway computer.

Also, in at least one of the various embodiments, the configurationinformation for the secure private network connection may be generatedbased on one or more characteristics of the secure private networkcharacteristics, including, current performance of the secure privatenetwork, expected performance of the secure private network, performanceof node computers on the secure private network, performance andcapabilities of equipment coupled to one or more node computers on thesecure private network, or the like, or combination thereof.

Accordingly, in at least one of the various embodiments, the gatewaycomputer may establish a secure private network connection to the targetgateway computer based on the configuration information. Enabling, in atleast one of the various embodiments, the gateway computer to securelysend the intercepted communications to the target gateway computer overthe secure private network connection such that the target gatewaycomputer securely provides the intercepted communication to the targetnode computer.

In at least one of the various embodiments, the management platformserver may pair the gateway computer with one or more other gatewaycomputers. In at least one of the various embodiments, the managementplatform server may generate a unique identifier for the gatewaycomputer and a separate unique identifier for each of the other gatewaycomputers. In at least one of the various embodiments, the managementplatform server may generate a single shared identifier and associatingit with the gateway computer and the one or more other gatewaycomputers. In at least one of the various embodiments, the managementplatform server may modify the configuration information for the secureprivate network connection based on the unique identifier for thegateway computer and the separate unique identifiers for each of theother gateway computers. Accordingly, in at least one of the variousembodiments, if the gateway computer fails, one of the one or more othergateway computers to replace operation of the gateway computer may bedetermined based on at least the shared identifier.

Examples of Collecting Data from a Secure, Private, Network

FIG. 1 illustrates a suitable network environment 100 for collectingdata from a private network. In at least one of the various embodiments,the computers, machines, databases, or devices shown in FIG. 1 and otherFigures described herein may be implemented in a client computer (See,FIG. 11) or a network computer (See, FIG. 12) that is modified bysoftware and/or hardware to be a special-purpose computer to perform thefunctions described herein for that machine, database, or device.Moreover, any two or more of the computers, machines, databases, ordevices illustrated in FIG. 1 may be combined into a single machine, andthe functions described herein for any single machine, database, ordevice may be subdivided among multiple machines, databases, or devices.

As described herein, network environment 100 may include various devicesthat communicate with one another over a secure private network, such assecure private network 130, established by central management component120 that manages and/or controls various security appliances 115 (e.g.,industrial security appliances, or ISAs) that facilitate the access ofthe secure, private network by the devices. For example, the devices mayinclude personal computers (PC) 110, such as mobile devices, laptops,and other user devices, programmable logic controllers (PLC) associatedwith electromechanical systems and devices (e.g., machine tools,utilities, and so on), such as PLC 116 that connects to ISA 115 viaswitch 117, developer devices (DEV) 112, historian devices 118, and soon.

In some embodiments, the management component may be a physical and/orvirtual component that establishes secure private network 130 anddelegates management of network 130 to users, defines automation devices(PLC 116) behind ISAs 115, configures the communication securitypolicies for ISAs 115 and well as the various devices, such as, PC 110,DEV 112, PLC 116, or the like, and monitors secure private network 130,and so on. As an example, in at least one of the various embodiments,configuration includes management component 120 and two ISAs 115, whichconnect devices to network 130. The secure, private network may employnetwork whitelisting allowing only the communications specified in thewhitelist to be communicate over network 130. For example, in at leastone of the various embodiments, each ISA 115 may have a uniquecryptographic identity and the collection of ISA identities mayestablish network 130. In at least one of the various embodiments, ifISAs 115 determine the peer ISAs they are allowed to communicate with,the ISAs may stablish point-to-point secure (VPN) tunnels to oneanother. In at least one of the various embodiments, network devices110, 112, 116 behind each ISA 115 may communicate with one another as ifthey are connected to each other on a local switch, yet theircommunications may be secured over an untrusted shared network.Additionally, in at least one of the various embodiments, ISAs 115 mayenforce the user-defined communications security policies as defined inthe management component 120 (e.g., management platform servercomputer), to further manage network device connectivity.

In some embodiments, ISA 115 may include data collection device 155 thatmay be arranged to collect data, such as network performance or trafficdata, from network 130. In at least one of the various embodiments, datacollection device 155 may be supported or contained by the ISA 115,which may establish a point-to-point VPN tunnel with other ISAs 115,and/or management component 120 that may enable data collection device155 to collect data from the ISAs, management component 120, and so on.By providing data collection device 155 with access to ISA 115 (or,other security appliances), various types of network data may becollected from network 130 without utilizing other additional hardwareor devices.

Thus, in at least one of the various embodiments, one or more of theISAs may include a security component or device configured to connect adevice or utility to a secure private network via a secure communicationpath established between the device or utility and another device orutility of the secure, private network and a data collection component(e.g., data collection device 155) configured to collect data associatedwith the secure private network via the established secure communicationpath.

For example, in at least one of the various embodiments, data collectiondevice 155 may access or monitor communication traffic within the secureprivate network via ISA 115, and collect data or other informationassociated with the communication traffic. Example data or otherinformation that may be collected includes network performance data(e.g., bandwidth, dropped packets, exception reporting), automation data(e.g., OPC, DNP3, Modlous), Quality of Service (QoS) characteristics, orthe like.

In some embodiments, network analysis system 150 may receive thecollected data, analyze the data, perform actions based on the analysisof the data, or the like. The network analysis may access datacollection device 155 and/or the secure private network 130 directlyand/or via unsecured network 140.

In at least one of the various embodiments, network analysis system 150may perform various actions based on the data collected by datacollection device 155, such as actions that render or visualize theperformance of the network, actions that modify the operations of thenetwork (e.g., dynamic adjustments to traffic on the network), and soon.

Accordingly, in at least one of the various embodiments, the systems andmethods described herein may facilitate the collection of data from thesecure private network 130 via a data collection device, such as, datacollection device 155 that may be associated with ISA 115 (e.g.,authenticated on the network 130) and may establish secure communicationtunnels with other devices and/or components on network 130, and performactions associated with network 130 based on algorithms or otherprocesses performed by network analysis system 150, which is notauthenticated on the network 130.

FIG. 2 is a block diagram illustrating the components of a networkanalysis system in accordance with at least one of the variousembodiments. In at least one of the various embodiments, networkanalysis system 150 may include one or more modules and/or components toperform one or more operations of network analysis system 150. Themodules may be hardware, software, or a combination of hardware andsoftware, and may be executed by one or more processors. For example,network analysis system 150 may include data collection module 210,network determination module 220, action module 230, or the like.

In some embodiments, data collection module 210 may be arranged tocollect data from the secure, private network via a data collectiondevice within an industrial security appliance. For example, datacollection module 210 may access, receive, retrieve, or otherwisecollect data from data collection device 155 of one or more ISAs 115that may assist in generating and maintaining secure private network130. Example data or other information that may be collected includesnetwork performance data (e.g., bandwidth, dropped packets, exceptionreporting), automation data (e.g., OPC, DNP3, Modulus), Quality ofService (QoS) characteristics, and so on.

In at least one of the various embodiments, data collection device 155may be part of an established a point-to-point virtual private networkbetween industrial security appliance 115 and management component 120that manages operations of the secure, private, network, and collectdata from management component 120 via the established point-to-pointvirtual private network and/or from historian device 118 via theestablished point-to-point virtual private network.

In some embodiments, network determination module 220 may be arranged todetermine network characteristics based on an analysis of the collecteddata. For example, network determination module 220 may analyze the datacollected at ISAs 115 of network 130 and identify or determine a currentperformance of the network, such as an expected performance, an abnormalperformance, performance of running processes, performance of machinetools, utilities, nodes, connected to the network, capabilities ofmachine tools, utilities, nodes, or the like.

In some embodiments, action module 230 is arranged to perform an actionbased on the determined network characteristics. For example, actionmodule 230 may perform an action to render a visual display that depictsthe current performance of the secure, private network, modify trafficoperations within the secure, private network, send an alert or othermessage in response to an intrusion within the secure, private network,update or modify running processes with the network, and so on.

In at least one of the various embodiments, network analysis system 150may perform various processes or operations if collecting data fromsecure private network 130 and performing actions in response to thecollected data. FIG. 3 is a flow diagram illustrating process 300 forperforming an action based on data collected from a private network.Process 300 may be performed by network analysis system 150 and,accordingly, is described herein merely by way of reference thereto. Atblock 310, network analysis system 150 may collect data from the secure,private network via data collection device 155 within industrialsecurity appliance 115. At block 320, network analysis system 150 maydetermine network characteristics based on an analysis of the collecteddata. At block 330, network analysis system 150 performs an action basedon the determined network characteristics.

Authenticating Devices to a Secure Private Network

FIG. 4 is a block diagram illustrating network environment 400 fortwo-factor authentication of a device on a private network, such assecure private network 130 in accordance with at least one of thevarious embodiments. Network environment 400 includes a first device,PLC 415, connected to private network 130 via first ISA 410, and asecond device, PC 425, connected to network 130 via second ISA 420, thatincludes, supports, contains, or may be associated with authenticationsystem 450 that may be configured to perform operations to authenticatedevices with network 130. As described herein, ISA 410, ISA 420, andSCMP 120 establish secure private network 130.

FIG. 5 illustrates the logical components of authentication system 450in accordance with at least one of the various embodiment. In at leastone of the various embodiments, authentication system 150 may includeone or more modules and/or components to perform one or more operationsof authentication system 450. The modules may be hardware, software, ora combination of hardware and software, and may be executed by one ormore processors. For example, authentication system 450 include requestintercept module 510, web interface module 520, authentication module530, or the like.

In some embodiments, request intercept module 510 may be arranged tointercept, at an industrial security appliance, a TCP request or othernetwork communication that requests to connect to secure private network130 from a requesting device associated with the industrial securityappliance. For example, request intercept module 510 may intercept arequest provided by PC 425 at second ISA, ISA 420.

In some embodiments, web interface module 520 may be arranged topresent, via the industrial security appliance, an application forobtaining authentication credentials from a user. In at least one of thevarious embodiments, web interface module 520 may generate a webinterface and provide it to the requesting device. In some embodiments,the web interface may be employed to collect authentication credentialsfrom the requesting device. For example, web interface module 520 maypresent an interface to PC 425 and receive certain credentials (e.g., ausername, password, passphrase, or the like), via the interface.

In at least one of the various embodiments, web interface module 520 maybe arranged to provide one or more APIs, such as, a REST API, or thelike, that enables applications to be arranged to communicate and/orperform transactions to obtain/establish authentication credentials. Insome embodiments, one or more applications executing on PC 425 may bearranged to communicate using an API provided by web interface model 520rather than being limited to providing a web interface (e.g., web page.)

In some embodiments, authentication module 530 may be arranged to sendor transmit a network communication, such as a TCP request, thatincludes the authentication credentials to a management component of thesecure private network, and establishes, or causes establishment of, apoint-to-point virtual private network between the industrial securityappliance associated with the requesting device and another industrialsecurity appliance associated with another device on the secure privatenetwork. For example, a source node may attempt to communicate with atarget node over the secure private network. Accordingly, in at leastone of the various embodiments, a ISA communicatively coupled to thesource node may act as the source node's gateway computer that providesaccess to the secure private network. Likewise, the ISA coupled to thetarget node may act as the target node's gateway computer. As describedabove, if the authentication credentials are validated, the managementplatform may establish a point-to-point network path between the sourcenode's gateway computer and the target node's gateway computer.

FIG. 6 illustrates a flowchart for process 600 for authenticating adevice or node computer on a private network in accordance with at leastone of the various embodiments. Process 600 may be performed byauthentication system 450 and, accordingly, is described herein merelyby way of reference thereto. In at least one of the various embodiments,authenticating a device or node computer may include the use of publickey infrastructure that may be used to exchange keys, private securecertificates, user credentials, and/or other cryptographic information.

At block 610, in at least one of the various embodiments, authenticationsystem 450 may intercept, at an industrial security appliance, a networkcommunication, such as, a TCP request, to connect to a secure privatenetwork from a requesting device associated with the industrial securityappliance. In at least one of the various embodiments, the request maybe communication request from a source node directed to a target node,each of which may be coupled with one or more ISAs or gateway computers.

In at least one of the various embodiments, authentication system 450may be arranged to capture all network communication from outside thesecure network. In at least one of the various embodiments,authentication system 450 may generate a response based on the type ofnetwork communication. In some cases, network communications may bediscarded in other cases, network communications may causeauthentication module 450 to initiate an authentication transaction, Inat least one of the various embodiments, the particular response may bedetermined based on configuration information that may include one ormore rule-based policies. In at least one of the various embodiments,such rule-based policies may be encoded in hardware, software, scripts,or the like, or combination thereof.

At block 620, in at least one of the various embodiments, authenticationsystem 450 may provide, via the industrial security appliance (e.g.,gateway computer) a web interface to the requesting device (e.g., sourcenode). In at least one of the various embodiments, authentication module450 may be arranged to respond to incoming HTTP requests. In at leastone of the various embodiments, if the incoming HTTP communication isprovided from an unauthenticated source, authentication model 450 maygenerate and respond with a HTML page that may provide a user interfaceto enable users to provide authentication information (e.g.,credentials). For example, in at least one of the various embodiments,the authentication system may generate a response that includes HTMLcontent for displaying a user login interface on the source node thatinitiated the request.

In at least one of the various embodiments, applications executing on anexternal computer, such as PC 425, may be arranged to communicate withthe ISA, gateway computer, target node, or private network, using otherAPIs or methods, such as, HTTP based REST APIs, TCP/IP ports,USB/Serial, Bluetooth, or the like, or combination thereof. Inadditional to common network protocols, such as, HTTP, HTTPS, RTSP, orthe like, ISAs or gateway computer may be arranged to support variousprotocols that may be operative in an industrial environment, such as,Ethernet/IP, Common Industrial Protocol (CIP), Modbus, C-Bus, or thelike, or combination thereof.

At block 630, in at least one of the various embodiments, authenticationsystem 450 may receive, via the presented web interface, authenticationcredentials from the requesting device. In at least one of the variousembodiments, applications running on computers outside of the securenetwork may be arranged to provide authentication credentials usingother APIs that may be provided by authentication system 450. In someembodiments, one or more transactions between the user and theauthentication system may be used to obtain the authenticationcredentials. Also, in at least one of the various embodiments,two-factor authentication may also be used.

At block 640, in at least one of the various embodiments, authenticationsystem 450 may provide the network communication (e.g., the TCP requestand the authentication credentials) to a management component of thesecure private network, such as a management platform server. In atleast one of the various embodiments, authentication system 450 maycollect the authentication credentials provided by the sourcenode/external computer (e.g., PC 425) and communicate them to SCMP 120to validate the provided credentials and to determine the access rightsto the secure network that may be associated with the credentials, ifany.

At block 650, authentication system 450 may establish a point-to-pointvirtual private network between the industrial security appliance (orsource gateway computer) associated with the requesting device (thesource computer) and another industrial security appliance (the targetgateway computer).

In at least one of the various embodiments, the routing tables, firewallinformation, or the like, for enabling the requesting source nodecomputer to access the private network may be generated by SCMP 120 andcommunicated to authentication system 450. Accordingly, in at least oneof the various embodiments, the policies that may be applied to therequesting source node computer may be established SCMP 120 and providedover the private network to authentication system 450. In someembodiments, ISAs, such as ISA 410 and ISA 420 are unable to establishnetwork policies and/or generate the configuration information that maybe required to provide access to the private network.

In some embodiments, SCMPs, such as, SCMP 120 may be arranged todetermine the network policies and/or access levels that may beestablished for the requesting computer based on the authenticationcredentials provided to an ISA by the requesting computer. Accordingly,in at least one of the various embodiments, SCMPs may provide networkconfiguration to the ISAs that enable to ISAs to enable to therequesting computer to access to the private network. Likewise, in atleast one of the various embodiments, the requesting computer does notaccess the SCMP directly.

In at least one of the various embodiments, the network configurationinformation may be generated based on the topology of the physicalnetwork and/or mesh network that may comprise the secure privatenetwork. In at least one of the various embodiments, the SCMP maydetermine network path through the physical network based on one or morecharacteristics of the network, one or more characteristics of thecommunication/requests from the source node, capabilities of the targetnodes and/or industrial devices coupled with the target nodes, or thelike, or combination thereof.

Next, control may be returned to a calling process.

High Availability in a Secure Private Network

FIG. 7 is a block diagram illustrating network environment 700 forproviding high availability to devices that access a private network inaccordance with at least one of the various embodiments. In at least oneof the various embodiments, network environment 700 may include PC 725that may be securely connected to secure private network 130 via one ofa pair of ISAs, first ISA 720 or second ISA 722, and multiple switches726, and PLC 715 that may be securely connected to the network 130 viathird ISA 710. As described herein, first ISA 720, second ISA 722, thirdISA 710, and the management component 120 establish secure privatenetwork 130. One of ordinary skill in the art will appreciate thatnetwork environment 700 is a non-limiting example. Accordingly, in atleast one of the various embodiments, network environments may have moreor fewer computers and/or devices as shown herein.

In some embodiments, management component 120 (or, one or more of theISAs) may include high availability system 750 that may be configured toprovide high availability access and secure connections within secureprivate network 130.

FIG. 8 illustrates the logical components of high availability system750 in accordance the at least one of the various embodiments. In atleast one of the various embodiments, high availability system 750 mayinclude one or more modules and/or components to perform one or moreoperations of high availability system 750. In at least one of thevarious embodiments, modules may be hardware, software, or a combinationof hardware and software, and may be executed by one or more processors.For example, in at least one of the various embodiments, highavailability system 750 may include pairing module 810, delegationmodule 820, and failure module 830.

In some embodiments, pairing module 810 may be arranged to generate ashared identity between a first industrial security appliance paired asecond industrial security appliance. In at least one of the variousembodiments, the shared identity may be a single cryptographic key,cryptographic hash, cryptographic certificate, or the like, that may bemapped to two or more ISAs or gateway computers. Pairing module 810 mayassociate one or more properties of the ISAs with the shared identity.For example, in at least one of the various embodiments, the sharedidentity may be paired based on one or more features of the ISAs, suchas, the MAC address, or other unique identifier of the ISAs. Further, inat least one of the various embodiments, identity delegation module 820may be arranged to generate a unique cryptographic identity value foreach ISA as well. Accordingly, in this example, first ISA 720 and secondISA 722 may each be associated with a unique identity and the sameshared identity. In at least one of the various embodiments, the sharedidentity enables ISAs, management components, management platformservers, gateway computers, and/or other computers, to determine if twoor more ISAs are paired. Accordingly, in at least one of the variousembodiments, one of the paired ISAs may be substituted for a failedpartner ISA.

In some embodiments, delegation module 820 may be arranged to transferthe shared identity to a third industrial security appliance or gatewaycomputer along with a first unique identity for the first industrialsecurity appliance and a second unique identity for the secondindustrial security appliance, and establish a secure connection betweenthe third industrial security appliance and the first industrialsecurity appliance based on the first unique identity for the firstindustrial security appliance.

In at least one of the various embodiments, the unique identity (e.g.,cryptographic key, cryptographic hash, cryptographic certificate, or thelike) may be employed to establish the identity of the ISA that is beingused to enable the outside computer to communicate with the secureprivate network. Also, in some embodiments, the ISA's unique identitymay be employed to establish secure communications paths in the secureprivate network. For example, a unique identity may be used to validatethat the ISA is enabled to participate in network communication in thesecure private network. Also, in at least one of the variousembodiments, the unique identity may be used as a key or part of a keyused to encrypt communication over the secure connections.

In at least one of the various embodiments, the shared identity may beused for determining one or more ISA pairs rather than used forestablishing secure communications on the secure private network. Forexample, in at least one of the various embodiments, if an ISA fails theshared identifier may be used to determine which ISA should take overfor the failed ISA. Accordingly, in at least one of the variousembodiments, the shared identity may be stored in a data store and/ortable associating it with the unique identities of its paired ISAs.

In some embodiments, failure module 830 may be arranged to determinefailures that may occur at the first industrial security appliance, andestablish a secure connection between the third industrial securityappliance and the second industrial security appliance (the failoverISA) based on the shared identity. For example, in at least one of thevarious embodiments, if an ISA is determined to be offline, or otherwisein a failure state, failure module 830 may determine the shared identitythat is associated with the failed ISA and use it to determine thesurviving paired ISA (if any).

In at least one of the various embodiments, failure module 830 may bearranged to monitor one or more heartbeat communications from the eachISA in the secure private network. Accordingly, in at least one of thevarious embodiments, if a heartbeat message is not received from an ISAwithin a define duration, the failure module may determine that thecorresponding ISA may have failed. Also, in at least one of the variousembodiments, the ISA pairs may be arranged to monitor and exchangeheartbeat messages with each other and send a communication message tofailure module 830 if either of the ISAs determine that its peer mayhave failed.

As described herein, high availability system 750 may perform processesor operations in order to establish secure connections between devices,such as between a device at a single ISA and a device that sharesmultiple ISAs. (See, FIG. 6.) In at least one of the variousembodiments, high availability system 750 may generate networkconfiguration information that establishes secure communication pathsbetween the ISAs, industrial devices, and computers, or the like, thatare within the secure private network.

FIG. 9 illustrates a flowchart for process 900 for providing a device orcomputer with access to a private network in accordance with at leastone of the various embodiments. At block 910, high availability system750 pairs a first ISA with a second ISA, both of which may be associatedwith a single device, computer, and/or node on the network.

At block 920, high availability system 750 may share the pairedidentity, along with unique identities for the ISAs, to a third ISA(such as an ISA associated with another device intended to be securelyconnected to the other device).

In at least one of the various embodiments, SCMP 120, a managementplatform server, and/or high availability system 750 may be arranged todetermine a primary ISA for a given set of paired ISAs. For example,given the shared identity the corresponding peer ISAs may be looked.Likewise, given one of the unique identities, the shared identity may belooked up.

In at least one of the various embodiments, configuration informationprovided by SCMP 120 and/or high availability system 750 forestablishing the secure private network may include information fordetermining which of the paired ISAs is the primary ISA. In someembodiments, the primary ISA may be selected based on configurationinformation that may include rule-based policies for allocating ISAresources. For example, in at least one of the various embodiments, theSCMP 120 may be configured to assign the least utilized ISA of the peerset as the primary ISA for communicating with a third ISA. Accordingly,in at least one of the various embodiments, the unique identitycorresponding to the primary ISA may be used to establish a securecommunication channel (e.g., secure tunnel) between the third ISA.

At decision block 930, in at least one of the various embodiments, inresponse to a failure event at one of the ISAs (e.g., at a primary ISA),the high availability system may determine whether SCMP 120 is onlineand available. If SCMP 120 may be available, high availability system750, control may flow to block 940; otherwise, control may flow to block960.

In at least one of the various embodiments, a SCMP may be a networkcomputer that may be separate from the network computer that may be thehigh availability system. Or, in at least one of the variousembodiments, the management platform may be a separate process orprocesses than the high availability system.

In at least one of the various embodiments, the SCMP may have visibilityto all of the ISAs, gateways computers, nodes, or the like, that are inthe network. Accordingly, if the SCMP is available recovery actionsassociated with an ISA failure may be delegated to the SCMP.

Alternatively, if the SCMP is unavailable, the high availability systemmay be tasked with re-establishing network communication between theaffected nodes.

At block 940, in at least one of the various embodiments, highavailability system 750 publishes the change to the networkconfiguration to the management platform to enable the secondary ISA totake over the responsibilities of the failed primary ISA. In at leastone of the various embodiments, high availability system 750 may employthe shared identity associated with the failed primary ISA to determineto the secondary ISA that may be arranged to take over for the failedprimary ISA.

In at least one of the various embodiments, publishing the notificationthat an ISA has failed enabled the management platform to reconfigurethe secure private network to account for the switch to the secondaryISA that will take over for the failed ISA. In at least one of thevarious embodiments, if necessary the management platform may publishupdated network configuration information to one or more ISAs in thesecure private network.

At block 950, in at least one of the various embodiments, highavailability system 750 establishes a secure connection between thethird ISA and the second ISA enabling secure private communication tocontinue. In at least one of the various embodiments, high availabilitysystem 750 may employ configuration information, if any, that may beprovided by a management platform server.

At block 960, in at least one of the various embodiments, since SCMP120, or other management platform servers, may be unavailable, highavailability system 750 may recreate a secure tunnel between the thirdISA and network 130 rather than just reporting the failure of theprimary ISA to the management platform. Accordingly, in at least one ofthe various embodiments, the high availability system may provideconfiguration information to the third ISA and the secondary ISA toenable a secure network tunnel to be generated. In at least one of thevarious embodiments, high availability system 750 may confirm theidentity of the third ISA and the secondary ISA in part by using theshared identity.

At block 970, in at least one of the various embodiments, highavailability system 750 establishes a secure connection between thethird ISA and the second ISA. Next, control may be returned to a callingprocess.

Illustrated Operating Environment

FIG. 10 shows components of one embodiment of an environment in whichembodiments of the invention may be practiced. Not all of the componentsmay be required to practice the invention, and variations in thearrangement and type of the components may be made without departingfrom the spirit or scope of the invention. As shown, system 1000 of FIG.1 includes local area networks (LANs)/wide area networks(WANs)—(network) 1010, wireless network 1008, client computers1002-1005, Management Platform Server Computer 1016, Industrial SecurityComputer(s) 1018, Operations Computer(s) 1020, or the like.

At least one embodiment of client computers 1002-1005 is described inmore detail below in conjunction with FIG. 11. In one embodiment, atleast some of client computers 1002-1005 may operate over one or morewired and/or wireless networks, such as networks 1008, and/or 1010.Generally, client computers 1002-1005 may include virtually any computercapable of communicating over a network to send and receive information,perform various online activities, offline actions, or the like. In oneembodiment, one or more of client computers 1002-1005 may be configuredto operate within a business or other entity to perform a variety ofservices for the business or other entity. For example, client computers1002-1005 may be configured to operate as a web server, firewall, clientapplication, media player, mobile telephone, game console, desktopcomputer, or the like. However, client computers 1002-1005 are notconstrained to these services and may also be employed, for example, asfor end-user computing in other embodiments. It should be recognizedthat more or less client computers (as shown in FIG. 10) may be includedwithin a system such as described herein, and embodiments are thereforenot constrained by the number or type of client computers employed.

Computers that may operate as client computer 1002 may include computersthat typically connect using a wired or wireless communications mediumsuch as personal computers, multiprocessor systems, microprocessor-basedor programmable electronic devices, network PCs, node computers, or thelike. In some embodiments, client computers 1002-1005 may includevirtually any portable computer capable of connecting to anothercomputer and receiving information such as, laptop computer 1003, mobilecomputer 1004, tablet computers 1005, or the like. However, portablecomputers are not so limited and may also include other portablecomputers such as cellular telephones, display pagers, radio frequency(RF) devices, infrared (IR) devices, Personal Digital Assistants (PDAs),handheld computers, wearable computers, integrated devices combining oneor more of the preceding computers, or the like. As such, clientcomputers 1002-1005 typically range widely in terms of capabilities andfeatures. Moreover, client computers 1002-1005 may access variouscomputing applications, including a browser, or other web-basedapplication.

A web-enabled client computer may include a browser application that isconfigured to receive and to send web pages, web-based messages, and thelike. The browser application may be configured to receive and displaygraphics, text, multimedia, and the like, employing virtually anyweb-based language, including a wireless application protocol messages(WAP), and the like. In one embodiment, the browser application isenabled to employ Handheld Device Markup Language (HDML), WirelessMarkup Language (WML), WMLScript, JavaScript, Standard GeneralizedMarkup Language (SGML), HyperText Markup Language (HTML), eXtensibleMarkup Language (XML), JavaScript Object Notation (JSON), or the like,to display and send a message. In one embodiment, a user of the clientcomputer may employ the browser application to perform variousactivities over a network (online). However, another application mayalso be used to perform various online activities.

Client computers 1002-1005 also may include at least one other clientapplication that is configured to receive and/or send content betweenanother computer. The client application may include a capability tosend and/or receive content, or the like. The client application mayfurther provide information that identifies itself, including a type,capability, name, and the like. In one embodiment, client computers1002-1005 may uniquely identify themselves through any of a variety ofmechanisms, including an Internet Protocol (IP) address, a phone number,Mobile Identification Number (MIN), an electronic serial number (ESN),or other device identifier. Such information may be provided in anetwork packet, or the like, sent between other client computers,management platform server computer 1016, industrial security computers1018, operations computers 1020, or other computers.

Client computers 1002-1005 may further be configured to include a clientapplication that enables an end-user to log into an end-user accountthat may be managed by another computer, such as management platformserver computer 1016, industrial security computers 1018, operationscomputers 1020, or the like. Such an end-user account, in onenon-limiting example, may be configured to enable the end-user to manageone or more online activities, including in one non-limiting example,project management, software development, system administration,configuration management, search activities, social networkingactivities, browse various websites, communicate with other users, orthe like.

Wireless network 1008 is configured to couple client computers 1003-1005and its components with network 1010. Wireless network 1008 may includeany of a variety of wireless sub-networks that may further overlaystand-alone ad-hoc networks, and the like, to provide aninfrastructure-oriented connection for client computers 1003-1005. Suchsub-networks may include mesh networks, Wireless LAN (WLAN) networks,cellular networks, industrial networks, or the like. In one embodiment,the system may include more than one wireless network.

Wireless network 1008 may further include an autonomous system ofterminals, gateways, routers, and the like connected by wireless radiolinks, and the like. These connectors may be configured to move freelyand randomly and organize themselves arbitrarily, such that the topologyof wireless network 1008 may change rapidly.

Wireless network 1008 may further employ a plurality of accesstechnologies including 2nd (2G), 3rd (3G), 4th (4G) 5th (5G) generationradio access for cellular systems, WLAN, Wireless Router (WR) mesh, andthe like. Access technologies such as 2G, 3G, 4G, 5G, and future accessnetworks may enable wide area coverage for mobile computers, such asclient computers 1003-1005 with various degrees of mobility. In onenon-limiting example, wireless network 1008 may enable a radioconnection through a radio network access such as Global System forMobil communication (GSM), General Packet Radio Services (GPRS),Enhanced Data GSM Environment (EDGE), code division multiple access(CDMA), time division multiple access (TDMA), Wideband Code DivisionMultiple Access (WCDMA), High Speed Downlink Packet Access (HSDPA), LongTerm Evolution (LTE), and the like. In essence, wireless network 108 mayinclude virtually any wireless communication mechanism by whichinformation may travel between client computers 1003-1005 and anothercomputer, network, a cloud-based network, a cloud instance, or the like.

Network 1010 is configured to couple network computers with othercomputers, including, management platform server computer 1016,industrial security computer(s) 1018, operations computer(s) 1020,client computers 1002-1005 through wireless network 1008, or the like.Network 1010 is enabled to employ any form of computer readable mediafor communicating information from one electronic device to another.Also, network 1010 can include the Internet in addition to local areanetworks (LANs), wide area networks (WANs), direct connections, such asthrough a universal serial bus (USB) port, other forms ofcomputer-readable media, or any combination thereof. On aninterconnected set of LANs, including those based on differingarchitectures and protocols, a router acts as a link between LANs,enabling messages to be sent from one to another. In addition,communication links within LANs typically include twisted wire pair orcoaxial cable, while communication links between networks may utilizeanalog telephone lines, full or fractional dedicated digital linesincluding T1, T2, T3, and T4, and/or other carrier mechanisms including,for example, E-carriers, Integrated Services Digital Networks (ISDNs),Digital Subscriber Lines (DSLs), wireless links including satellitelinks, or other communications links known to those skilled in the art.Moreover, communication links may further employ any of a variety ofdigital signaling technologies, including without limit, for example,DS-0, DS-1, DS-2, DS-3, DS-4, OC-3, OC-12, OC-48, or the like.Furthermore, remote computers and other related electronic devices couldbe remotely connected to either LANs or WANs via a modem and temporarytelephone link. In one embodiment, network 1010 may be configured totransport information of an Internet Protocol (IP).

Additionally, communication media typically embodies computer readableinstructions, data structures, program modules, or other transportmechanism and includes any information delivery media. By way ofexample, communication media includes wired media such as twisted pair,coaxial cable, fiber optics, wave guides, and other wired media andwireless media such as acoustic, RF, infrared, and other wireless media.

One embodiment of management platform server computer 1016 is describedin more detail below in conjunction with FIG. 12. Briefly, however,management platform server computer 1016 includes virtually any networkcomputer capable of managing a network environment for one or moreapplications or services.

Although FIG. 10 illustrates management platform server computer 1016,industrial security computers 1018, operations computers 1020 each as asingle computer, the innovations and/or embodiments are not so limited.For example, one or more functions of management platform servercomputer 1016, industrial security computers 1018, operations computers1020, or the like, may be distributed across one or more distinctnetwork computers. Moreover, management platform server computer 1016,industrial security computers 1018, operations computers 1020 are notlimited to a particular configuration such as the one shown in FIG. 10.Thus, in one embodiment, management platform server computer 1016,industrial security computers 1018, operations computers 1020 may beimplemented using a plurality of network computers. In otherembodiments, server computer may operate as a plurality of networkcomputers within a cluster architecture, a peer-to-peer architecture, orthe like. Further, in at least one of the various embodiments,management platform server computer 1016, industrial security computers1018, operations computers 1020 may be implemented using one or morecloud instances in one or more cloud networks.

Also, in at least one of the various embodiments, one or more managementplatform server computers, or at least some or all of the featuresthereof, may be incorporated in an industrial security computer, suchas, industrial security computer 1018, or an operation computer, suchas, operations computer 1020. Accordingly, these innovations andembodiments are not to be construed as being limited to a singleenvironment, and other configurations, and architectures are alsoenvisaged.

Illustrative Client Computer

FIG. 11 shows one embodiment of client computer 1100 that may includemany more or less components than those shown. Client computer 1100 mayrepresent, for example, at least one embodiment of mobile computers orclient computers shown in FIG. 10.

Client computer 1100 may include processor 1102 in communication withmemory 1104 via bus 1128. Client computer 1100 may also include powersupply 1130, network interface 1132, audio interface 1156, display 1150,keypad 1152, illuminator 1154, video interface 1142, input/outputinterface 1138, haptic interface 1164, global positioning systems (GPS)receiver 1158, open air gesture interface 1160, sensor interface 1162,camera(s) 1140, projector 1146, pointing device interface 1166,processor-readable stationary storage device 1134, andprocessor-readable removable storage device 1136. Client computer 1100may optionally communicate with a base station (not shown), or directlywith another computer. And in one embodiment, although not shown, agyroscope may be employed within client computer 1100 to measuringand/or maintaining an orientation of client computer 1100.

Power supply 1130 may provide power to client computer 1100. Arechargeable or non-rechargeable battery may be used to provide power.The power may also be provided by an external power source, such as anAC adapter or a powered docking cradle that supplements and/or rechargesthe battery.

Network interface 1132 includes circuitry for coupling client computer1100 to one or more networks, and is constructed for use with one ormore communication protocols and technologies including, but not limitedto, protocols and technologies that implement any portion of the OSImodel for mobile communication (GSM), CDMA, time division multipleaccess (TDMA), UDP, TCP/IP, SMS, MMS, GPRS, WAP, UWB, WiMax, SIP/RTP,GPRS, EDGE, WCDMA, LTE, UMTS, OFDM, CDMA2000, EV-DO, HSDPA, or any of avariety of other wireless communication protocols. Network interface1132 is sometimes known as a transceiver, transceiving device, ornetwork interface card (NIC).

Audio interface 1156 may be arranged to produce and receive audiosignals such as the sound of a human voice. For example, audio interface1156 may be coupled to a speaker and microphone (not shown) to enabletelecommunication with others and/or generate an audio acknowledgementfor some action. A microphone in audio interface 1156 can also be usedfor input to or control of client computer 1100, e.g., using voicerecognition, detecting touch based on sound, and the like.

Display 1150 may be a liquid crystal display (LCD), gas plasma,electronic ink, light emitting diode (LED), Organic LED (OLED) or anyother type of light reflective or light transmissive display that can beused with a computer. Display 1150 may also include a touch interface1144 arranged to receive input from an object such as a stylus or adigit from a human hand, and may use resistive, capacitive, surfaceacoustic wave (SAW), infrared, radar, or other technologies to sensetouch and/or gestures.

Projector 1146 may be a remote handheld projector or an integratedprojector that is capable of projecting an image on a remote wall or anyother reflective object such as a remote screen.

Video interface 1142 may be arranged to capture video images, such as astill photo, a video segment, an infrared video, or the like. Forexample, video interface 1142 may be coupled to a digital video camera,a web-camera, or the like. Video interface 1142 may comprise a lens, animage sensor, and other electronics. Image sensors may include acomplementary metal-oxide-semiconductor (CMOS) integrated circuit,charge-coupled device (CCD), or any other integrated circuit for sensinglight.

Keypad 1152 may comprise any input device arranged to receive input froma user. For example, keypad 1152 may include a push button numeric dial,or a keyboard. Keypad 1152 may also include command buttons that areassociated with selecting and sending images.

Illuminator 1154 may provide a status indication and/or provide light.Illuminator 1154 may remain active for specific periods of time or inresponse to events. For example, when illuminator 1154 is active, it maybacklight the buttons on keypad 1152 and stay on while the clientcomputer is powered. Also, illuminator 1154 may backlight these buttonsin various patterns when particular actions are performed, such asdialing another client computer. Illuminator 1154 may also cause lightsources positioned within a transparent or translucent case of theclient computer to illuminate in response to actions.

Further, client computer 1100 may also comprise hardware security module(HSM) 1168 for providing additional tamper resistant safeguards forgenerating, storing and/or using security/cryptographic information suchas, keys, digital certificates, passwords, passphrases, two-factorauthentication information, or the like. In some embodiments, hardwaresecurity module may be employed to support one or more standard publickey infrastructures (PKI), and may be employed to generate, manage,and/or store keys pairs, or the like. In some embodiments, HSM 1168 maybe a stand-alone computer, in other cases, HSM 1168 may be arranged as ahardware card that may be added to a client computer.

Client computer 1100 may also comprise input/output interface 1138 forcommunicating with external peripheral devices or other computers suchas other client computers and network computers. The peripheral devicesmay include an audio headset, display screen glasses, remote speakersystem, remote speaker and microphone system, and the like. Input/outputinterface 1138 can utilize one or more technologies, such as UniversalSerial Bus (USB), Infrared, WiFi, WiMax, Bluetooth™, and the like.

Client computer 1100 may also include sensors 1162 for determininggeolocation information (e.g., GPS), monitoring electrical powerconditions (e.g., voltage sensors, current sensors, frequency sensors,and so on), monitoring weather (e.g., thermostats, barometers,anemometers, humidity detectors, precipitation scales, or the like), orthe like. Sensors 1162 may be one or more hardware sensors that collectand/or measure data that is external to client computer 1100.

Haptic interface 1164 may be arranged to provide tactile feedback to auser of the client computer. For example, the haptic interface 1164 maybe employed to vibrate client computer 1100 in a particular way whenanother user of a computer is calling. Temperature interface 1162 may beused to provide a temperature measurement input and/or a temperaturechanging output to a user of client computer 1100. Open air gestureinterface 1160 may sense physical gestures of a user of client computer1100, for example, by using single or stereo video cameras, radar, agyroscopic sensor inside a computer held or worn by the user, or thelike. Camera 1140 may be used to track physical eye movements of a userof client computer 1100.

GPS transceiver 1158 can determine the physical coordinates of clientcomputer 1100 on the surface of the Earth, which typically outputs alocation as latitude and longitude values. GPS transceiver 1158 can alsoemploy other geo-positioning mechanisms, including, but not limited to,triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference(E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), EnhancedTiming Advance (ETA), Base Station Subsystem (BSS), or the like, tofurther determine the physical location of client computer 1100 on thesurface of the Earth. It is understood that under different conditions,GPS transceiver 1158 can determine a physical location for clientcomputer 1100. In at least one embodiment, however, client computer 1100may, through other components, provide other information that may beemployed to determine a physical location of the client computer,including for example, a Media Access Control (MAC) address, IP address,and the like.

Human interface components can be peripheral devices that are physicallyseparate from client computer 1100, allowing for remote input and/oroutput to client computer 1100. For example, information routed asdescribed here through human interface components such as display 1150or keyboard 1152 can instead be routed through network interface 1132 toappropriate human interface components located remotely. Examples ofhuman interface peripheral components that may be remote include, butare not limited to, audio devices, pointing devices, keypads, displays,cameras, projectors, and the like. These peripheral components maycommunicate over a Pico Network (piconet) such as Bluetooth™, Zigbee™and the like.

A client computer may include web browser application 1126 that may beconfigured to receive and to send web pages, web-based messages,graphics, text, multimedia, and the like. The client computer's browserapplication may employ virtually any programming language, including awireless application protocol messages (WAP), and the like. In at leastone embodiment, the browser application is enabled to employ HandheldDevice Markup Language (HDML), Wireless Markup Language (WML),WMLScript, JavaScript, Standard Generalized Markup Language (SGML),HyperText Markup Language (HTML), eXtensible Markup Language (XML),HTML5, and the like.

Memory 1104 may include RAM, ROM, and/or other types of memory. Memory1104 illustrates an example of computer-readable storage media (devices)for storage of information such as computer-readable instructions, datastructures, program modules or other data. Memory 1104 may store BIOS1108 for controlling low-level operation of client computer 1100. Thememory may also store operating system 1106 for controlling theoperation of client computer 1100. It will be appreciated that thiscomponent may include a general-purpose operating system such as aversion of UNIX, or LINUX™, or a specialized client computercommunication operating system such as Windows Phone™, or the Symbian®operating system. The operating system may include, or interface with aJava virtual machine module that enables control of hardware componentsand/or operating system operations via Java application programs.

Memory 1104 may further include one or more data storage 1110, which canbe utilized by client computer 1100 to store, among other things,applications 1120 and/or other data. For example, data storage 1110 mayalso be employed to store information that describes variouscapabilities of client computer 1100. The information may then beprovided to another device or computer based on any of a variety ofevents, including being sent as part of a header during a communication,sent upon request, or the like. Data storage 1110 may also be employedto store social networking information including address books, buddylists, aliases, user profile information, or the like. Data storage 1110may further include program code, data, algorithms, and the like, foruse by a processor, such as processor 1102 to execute and performactions. In one embodiment, at least some of data storage 1110 mightalso be stored on another component of client computer 1100, including,but not limited to, non-transitory processor-readable removable storagedevice 1136, processor-readable stationary storage device 1134, or evenexternal to the client computer.

Applications 1120 may include computer executable instructions which,when executed by client computer 1100, transmit, receive, and/orotherwise process instructions and data. Applications 1120 may include,for example, industrial control application 1122. In at least one of thevarious embodiments, overlay industrial control application 1122 may beused to exchange communications to and from management platform servercomputer 1016, industrial security computers 1018, operations servercomputer 1120, ISA, gateway computers, or the like, including, but notlimited to, queries, searches, API calls, or the like.

Other examples of application programs include calendars, searchprograms, email client applications, IM applications, SMS applications,Voice Over Internet Protocol (VOIP) applications, contact managers, taskmanagers, transcoders, database programs, word processing programs,security applications, spreadsheet programs, games, search programs, andso forth.

Additionally, in one or more embodiments (not shown in the figures),client computer 1100 may include an embedded logic hardware deviceinstead of a CPU, such as, an Application Specific Integrated Circuit(ASIC), Field Programmable Gate Array (FPGA), Programmable Array Logic(PAL), or the like, or combination thereof. The embedded logic hardwaredevice may directly execute its embedded logic to perform actions. Also,in one or more embodiments (not shown in the figures), the clientcomputer may include a hardware microcontroller instead of a CPU. In atleast one embodiment, the microcontroller may directly execute its ownembedded logic to perform actions and access its own internal memory andits own external Input and Output Interfaces (e.g., hardware pins and/orwireless transceivers) to perform actions, such as System On a Chip(SOC), or the like.

Illustrative Network Computer

FIG. 12 shows one embodiment of network computer 1200 that may beincluded in a system implementing the invention. Network computer 1200may include many more or less components than those shown in FIG. 12.However, the components shown are sufficient to disclose an illustrativeembodiment for practicing these innovations. Network computer 1200 mayrepresent, for example, one embodiment of at least one of managementplatform server computer 1016, industrial security computer(s) 1018, orindustrial operations computer(s) 1020 of FIG. 10.

As shown in the figure, network computer 1200 includes a processor 1202in communication with a memory 1204 via a bus 1228. Network computer1200 also includes a power supply 1230, network interface 1232, audiointerface 1256, display 1250, keyboard 1252, input/output interface1238, processor-readable stationary storage device 1234, andprocessor-readable removable storage device 1236. Power supply 1230provides power to network computer 1200.

Network interface 1232 includes circuitry for coupling network computer1200 to one or more networks, and is constructed for use with one ormore communication protocols and technologies including, but not limitedto, protocols and technologies that implement any portion of the OpenSystems Interconnection model (OSI model), global system for mobilecommunication (GSM), code division multiple access (CDMA), time divisionmultiple access (TDMA), user datagram protocol (UDP), transmissioncontrol protocol/Internet protocol (TCP/IP), Short Message Service(SMS), Multimedia Messaging Service (MMS), general packet radio service(GPRS), WAP, ultra wide band (UWB), IEEE 802.16 WorldwideInteroperability for Microwave Access (WiMax), Session InitiationProtocol/Real-time Transport Protocol (SIP/RTP), or any of a variety ofother wired and wireless communication protocols. Network interface 1232is sometimes known as a transceiver, transceiving device, or networkinterface card (NIC). Network computer 1200 may optionally communicatewith a base station (not shown), or directly with another computer.

Audio interface 1256 is arranged to produce and receive audio signalssuch as the sound of a human voice. For example, audio interface 1256may be coupled to a speaker and microphone (not shown) to enabletelecommunication with others and/or generate an audio acknowledgementfor some action. A microphone in audio interface 1256 can also be usedfor input to or control of network computer 1200, for example, usingvoice recognition.

Display 1250 may be a liquid crystal display (LCD), gas plasma,electronic ink, light emitting diode (LED), Organic LED (OLED) or anyother type of light reflective or light transmissive display that can beused with a computer. Display 1250 may be a handheld projector or picoprojector capable of projecting an image on a wall or other object.

Network computer 1200 may also comprise input/output interface 1238 forcommunicating with external devices or computers not shown in FIG. 12.Input/output interface 1238 can utilize one or more wired or wirelesscommunication technologies, such as USB™, Firewire™, WiFi, WiMax,Thunderbolt™, Infrared, Bluetooth™, Zigbee™, serial port, parallel port,and the like.

GPS transceiver 1262 can determine the physical coordinates of networkcomputer 1200 on the surface of the Earth, which typically outputs alocation as latitude and longitude values. GPS transceiver 1262 can alsoemploy other geo-positioning mechanisms, including, but not limited to,triangulation, assisted GPS (AGPS), Enhanced Observed Time Difference(E-OTD), Cell Identifier (CI), Service Area Identifier (SAI), EnhancedTiming Advance (ETA), Base Station Subsystem (BSS), or the like, tofurther determine the physical location of network computer 1200 on thesurface of the Earth. It is understood that under different conditions,GPS transceiver 1262 can determine a physical location for networkcomputer 1200. In at least one embodiment, however, network computer1200 may, through other components, provide other information that maybe employed to determine a physical location of the client computer,including for example, a Media Access Control (MAC) address, IP address,and the like.

Human interface components can be physically separate from networkcomputer 1200, allowing for remote input and/or output to networkcomputer 1200. For example, information routed as described here throughhuman interface components such as display 1250 or keyboard 1252 caninstead be routed through the network interface 1232 to appropriatehuman interface components located elsewhere on the network. Humaninterface components include any component that allows the computer totake input from, or send output to, a human user of a computer.Accordingly, pointing devices such as mice, styluses, track balls, orthe like, may communicate through pointing device interface 1258 toreceive user input.

Memory 1204 may include Random Access Memory (RAM), Read-Only Memory(ROM), and/or other types of memory. Memory 1204 illustrates an exampleof computer-readable storage media (devices) for storage of informationsuch as computer-readable instructions, data structures, program modulesor other data. Memory 1204 stores a basic input/output system (BIOS)1208 for controlling low-level operation of network computer 1200. Thememory also stores an operating system 1206 for controlling theoperation of network computer 1200. It will be appreciated that thiscomponent may include a general-purpose operating system such as aversion of UNIX, or LINUX™, or a specialized operating system such asMicrosoft Corporation's Windows® operating system, or the AppleCorporation's IOS® operating system. The operating system may include,or interface with a Java virtual machine module that enables control ofhardware components and/or operating system operations via Javaapplication programs. Likewise, other runtime environments may beincluded.

Memory 1204 may further include one or more data storage 1210, which canbe utilized by network computer 1200 to store, among other things,applications 1220 and/or other data. For example, data storage 1210 mayalso be employed to store information that describes variouscapabilities of network computer 1200. The information may then beprovided to another device or computer based on any of a variety ofevents, including being sent as part of a header during a communication,sent upon request, or the like. Data storage1210 may also be employed tostore social networking information including address books, buddylists, aliases, user profile information, or the like. Data storage 1210may further include program code, data, algorithms, and the like, foruse by a processor, such as processor 1202 to execute and performactions such as those actions described below. In one embodiment, atleast some of data storage 1210 might also be stored on anothercomponent of network computer 1200, including, but not limited to,non-transitory media inside processor-readable removable storage device1236, processor-readable stationary storage device 1234, or any othercomputer-readable storage device within network computer 1200, or evenexternal to network computer 1200. Data storage 1210 may include, forexample, industrial security appliance (ISA) configuration information1212, or the like. ISA configuration information 1212 may containvarious data generated for defining ISA unique identities, ISA sharedidentities as well as, routing information, and one or more policiesassociated with one or more mesh networks, or the like.

Applications 1220 may include computer executable instructions which,when executed by network computer 1200, transmit, receive, and/orotherwise process messages (e.g., SMS, Multimedia Messaging Service(MMS), Instant Message (IM), email, and/or other messages), audio,video, and enable telecommunication with another user of another mobilecomputer. Other examples of application programs include calendars,search programs, email client applications, IM applications, SMSapplications, Voice Over Internet Protocol (VOIP) applications, contactmanagers, task managers, transcoders, database programs, word processingprograms, security applications, spreadsheet programs, games, searchprograms, and so forth. Applications 1220 may include managementplatform application 1224, and/or network routing application 1226 whichmay be enabled to perform actions further described below. In at leastone of the various embodiments, one or more of the applications may beimplemented as modules and/or components of another application.Further, in at least one of the various embodiments, applications may beimplemented as operating system extensions, modules, plugins, or thelike.

Furthermore, in at least one of the various embodiments, managementplatform application 1224, and/or network routing application 1226 maybe operative in a cloud-based computing environment. In at least one ofthe various embodiments, these applications, and others, that comprisethe management platform may be executing within virtual machines and/orvirtual servers that may be managed in a cloud-based based computingenvironment. In at least one of the various embodiments, in this contextthe applications may flow from one physical network computer within thecloud-based environment to another depending on performance and scalingconsiderations automatically managed by the cloud computing environment.Likewise, in at least one of the various embodiments, virtual machinesand/or virtual servers dedicated to management platform application1224, and/or network routing application 1226 may be provisioned andde-commissioned automatically.

Also, in at least one of the various embodiments, management platformapplication 1224, network routing application 1226, or the like, maylocated in virtual servers running in a cloud-based computingenvironment rather than being tied to one or more specific physicalnetwork computers.

Management platform application 1224 may be a process or service that isarranged to communicate with one or more industrial security computers,such as, industrial computers 1018, and/or one or more operationscomputers, such as, operations computers 1020. Further, in at least oneof the various embodiments, management platform application 1224 may bearranged to provide configuration information to one or more ofindustrial computers 1018, or operations computers 1020. Also, in atleast one of the various embodiments, management platform application1224 may be arranged to obtain notifications, logging information,status reports, security alerts, or the like, or combination thereof,from one or more of industrial computers 1018, operations computers1020, ISAs, gateway computer, node computers, or the like.

Further, network computer 1200 may also comprise hardware securitymodule (HSM) 1260 for providing additional tamper resistant safeguardsfor generating, storing and/or using security/cryptographic informationsuch as, keys, digital certificates, passwords, passphrases, two-factorauthentication information, or the like. In some embodiments, hardwaresecurity module may be employ to support one or more standard public keyinfrastructures (PKI), and may be employed to generate, manage, and/orstore keys pairs, or the like. In some embodiments, HSM 1260 may be astand-alone network computer, in other cases, HSM 1260 may be arrangedas a hardware card that may be installed in a network computer.

Network computer 1200 may also include sensors 1264 for determininggeolocation information (e.g., GPS), monitoring electrical powerconditions (e.g., voltage sensors, current sensors, frequency sensors,and so on), monitoring weather (e.g., thermostats, barometers,anemometers, humidity detectors, precipitation scales, or the like), orthe like. Sensors 1264 may be one or more hardware sensors that collectand/or measure data that is external to network computer 1200.

Additionally, in one or more embodiments (not shown in the figures),network computer 1200 may include an embedded logic hardware deviceinstead of a CPU, such as, an Application Specific Integrated Circuit(ASIC), Field Programmable Gate Array (FPGA), Programmable Array Logic(PAL), or the like, or combination thereof. The embedded logic hardwaredevice may directly execute its embedded logic to perform actions. Also,in one or more embodiments (not shown in the figures), network computer1200 may include a hardware microcontroller instead of a CPU. In atleast one embodiment, the microcontroller may directly execute its ownembedded logic to perform actions and access its own internal memory andits own external Input and Output Interfaces (e.g., hardware pins and/orwireless transceivers) to perform actions, such as System On a Chip(SOC), or the like.

It will be understood that each block of the flowchart theillustrations, and combinations of blocks in the flowchartillustrations, can be implemented by computer program instructions.These program instructions may be provided to a processor to produce amachine, such that the instructions, which execute on the processor,create means for implementing the actions specified in the flowchartblock or blocks. The computer program instructions may be executed by aprocessor to cause a series of operational steps to be performed by theprocessor to produce a computer-implemented process such that theinstructions, which execute on the processor to provide steps forimplementing the actions specified in the flowchart block or blocks. Thecomputer program instructions may also cause at least some of theoperational steps shown in the blocks of the flowcharts to be performedin parallel. Moreover, some of the steps may also be performed acrossmore than one processor, such as might arise in a multi-processorcomputer system. In addition, one or more blocks or combinations ofblocks in the flowchart illustration may also be performed concurrentlywith other blocks or combinations of blocks, or even in a differentsequence than illustrated without departing from the scope or spirit ofthe invention.

Additionally, in one or more steps or blocks, may be implemented usingembedded logic hardware, such as, an Application Specific IntegratedCircuit (ASIC), Field Programmable Gate Array (FPGA), Programmable ArrayLogic (PAL), or the like, or combination thereof, instead of a computerprogram. The embedded logic hardware may directly execute embedded logicto perform actions some or all of the actions in the one or more stepsor blocks. Also, in one or more embodiments (not shown in the figures),some or all of the actions of one or more of the steps or blocks may beperformed by a hardware microcontroller instead of a CPU. In at leastone embodiment, the microcontroller may directly execute its ownembedded logic to perform actions and access its own internal memory andits own external Input and Output Interfaces (e.g., hardware pins and/orwireless transceivers) to perform actions, such as System On a Chip(SOC), or the like.

Illustrative Logical System Architecture

FIG. 13 shows a logical architecture of networked environment 1300 thatis in accordance with at least one of the various embodiments. In atleast one of the various embodiments, business network 1301 is coupledto a plurality of operations computer 1302 a-1302 d (four shown,collectively 1302) via a plurality of industrial security applicationcomputers (ISAs) 1303 a-1303 e (five shown, collectively 1303). ISAs1303 may be coupled directly to the business network 1301, or wirelesslyvia a wireless connection port 1304. Each of the operations computers1302 may be coupled directly or wirelessly to one or more industrialcomputers 1306 a-1306 b (two shown, collectively 1306), such as, forexample, an automated manufacturing machine or tooling (e.g.,numerically controlled machinery) that processes a product. The ISAs1303 communicate with one another via a private network 1307. A remoteuser (e.g., a remote engineer) 1308 may connect to the private network1307 via a remote access wireless communication path 1309. In at leastone of the various embodiments, management platform computer 1310 and anassociated, such as, user station 1311 may be coupled to businessnetwork 1301.

In at least one of the various embodiments, management platform computer1310, ISAs 1303, and user station 1311 may be, for example one or morenetwork computers, such as, network computer 1200 or one or more clientcomputers, such as, client computer 1100. ISAs 1303 can be introducedinto networked environment 1300 as protective devices, each ISA 1303associated with, and coupled to, a particular operations computer 1302.ISAs 1303 can be provider edge (PE) devices/computers that providedynamic, secure connectivity among operations computers 1302, andbetween operations computers 1302 and business network 1301. In at leastone of the various embodiments, ISAs can be physical computers or theycan be implemented as virtualized computers. A virtual ISA mayconstitute software that may perform the same or similar functions as acorresponding processor-based computer. The software implementing avirtual ISA can be hosted on a system or a device that is not otherwisededicated to providing secured networked communications, e.g., a localdevice, a remote device, client computer, network computer, or a serverin a cloud-based computing environment. As described above ISAs may alsobe referred to as gateway computers that may be employed to isolate thephysical network from nodes, such as industrial computers andworkstations.

In at least one of the various embodiments, private network 1307 may bea virtual network—a logical construct (shown as a dotted line in FIG.13)—that may be overlaid onto an existing physical infrastructure thatincludes existing business network 1301 and the existing operationscomputers 1302. Further, in at least one of the various embodiments,private network 1307 may be a virtual private LAN service (VPLS) thatconnects physically separate LAN segments (e.g., the business networkand the industrial network) into a single logical LAN segment. However,the private network provides an isolated environment that is segmentedfrom the business network. Private network 1307 may be configured as adynamic mesh network. The term “full mesh” refers to a mesh networktopology in which every node is coupled to every other node. A dynamicmesh network is a policy-constrained mesh in which each communicateswith only certain other designated nodes. Segments of private network1307 may be enabled or disabled by management platform computer 1310, inresponse to mesh policy decisions received from a user via user station1311.

In at least one of the various embodiments, DHCP server 1312 may becoupled to business network 1301 to administer connecting variouscorporate devices to business network 1301. Communications traffic 1324a-1324 b on the business network side of communications environment 1300can be HTTP Web traffic which is encrypted. However, communicationstraffic 1324 c to and from DHCP server 1312 may be non-encrypted.Communications traffic 1326 between ISAs 1303 coupled to the privateoverlay network may be encrypted. For enhanced security, management ofconnections to the private network may be administered in a secure,distributed fashion by ISAs 1303.

Operations computers 1302 may take various forms. For example, theoperations computers 1302 may be industrial equipment controllers thatcontrol processing equipment 1306 a in a manufacturing operation.Additionally or alternatively, operations computers 1302 may bedistributed utility devices for controlling utilities 1306 b (e.g.,factory utilities, municipal water systems, power systems, energydelivery systems, and the like). Alternatively, operations computers1302 may be controllers or workstations for operating medical equipment(e.g., medical imaging equipment) in a medical facility. Alternatively,operations computers 1302 can themselves be networks of operationalequipment, for example, networks located at different manufacturingsites that are part of the same business or corporation. Alternatively,operations computer 1302 can be workstations or servers in anoffice-based operation.

In at least one of the various embodiments, each operations device 1302may be logically or otherwise associated with one or more industrialdevices, such as, industrial devices 1306. Operations computer 1302 canbe processor-based customer edge (CE) devices that may take any of alarge variety of forms, including but not limited to personal computers(e.g., client computers, network computers, desktop computers, laptopcomputers, notebook computers, tablet computers, smart phones,workstation computers, and/or mainframe computers, and the like.) Atleast operations computers 1302, ISAs 1303, and management platformcomputer 1310 may be capable of communication, for example via one ormore networks 1307, (e.g., Wide Area Networks, Local Area Networks, orpacket switched communications networks such as the Internet, WorldwideWeb portion of the Internet, extranets, intranets, and/or various othertypes of telecommunications networks such as cellular phone and datanetworks, and plain old telephone system (POTS) networks. See, also,wireless network 1008, network 1010 in FIG. 10. One or morecommunications interface devices may provide communications betweenoperations computers 1302 and network(s) 1307, 1301. The communicationsinterface devices may take any of a wide variety of forms, includingmodems (e.g., DSL modem, cable modem), routers, network switches, and/orbridges, etc. The communications interface devices can be built into theoperations devices or, if separate from operations computers 1302, cancommunicate with the operations computers 1302 using a wiredcommunication channel, a wireless communication channel, or combinationsthereof. The operations computers 1302 may be coupled to an industrialnetwork.

In at least one of the various embodiments, operations computers 1302,ISAs 1303, and management platform computer 1310 include at least onenon-transitory processor-readable storage medium (e.g., hard drive,RFID, RAM). The storage medium stores instructions for causing theassociated device to perform various functions as described below.

In many implementations the non-transitory processor-readable storagemedium may constitute a plurality of non-transitory storage media. Theplurality of non-transitory storage media may be commonly located at acommon location, or distributed at a variety of remote locations.Databases may be implemented in one, or across more than one,non-transitory computer- or processor-readable storage media. Suchdatabase(s) may be stored separately from one another on separatenon-transitory processor-readable storage medium or may be stored on thesame non-transitory processor-readable storage medium as one another.The non-transitory processor-readable storage medium may be co-locatedwith management platform computer 1310, for example, in the same room,building or facility. Alternatively, the non-transitoryprocessor-readable storage medium may be located remotely frommanagement platform 1310, for example in a different facility, city,state or country. Electronic or digital information, files or records orother collections of information may be stored at specific locations innon-transitory processor-readable media, thus are logically addressableportions of such media, which may or may not be contiguous.

Networked environment 1300 shown in FIG. 13 is representative. Typicalnetworked environments may include additional, or fewer, computersystems and entities than illustrated in FIG. 13.

Furthermore, in at least one of the various embodiments, client computer1100 or network computer 1100 is arranged to include one or more sensorsfor determining geolocation information (e.g., GPS), monitoringelectrical power conditions (e.g., voltage sensors, current sensors,frequency sensors, and so on), monitoring weather (e.g., thermostats,barometers, anemometers, humidity detectors, precipitation scales, orthe like), or the like.

For example, in at least one embodiment, geolocation information (suchas latitude and longitude coordinates, or the like) is collected by ahardware GPS sensor and subsequently employed in theidentification/determination of the one or more management platformservers, ISAs, gateway computers, or the like, may be used to establishsecure private networks and network paths. Similarly, in at least oneembodiment, weather information (such as temperature, atmosphericpressure, wind speed, humidity, or the like) is collected by a hardwareweather sensor and subsequently employed in theidentification/determination of the one or more management platformservers, ISAs, gateway computers, or the like, may be used to establishsecure private networks and network paths. Additionally, in at least oneembodiment, electrical power information (such as voltage, current,frequency, or the like) is collected by a hardware electrical powersensor and subsequently employed in the identification/determination ofthe one or more management platform servers, ISAs, gateway computers, orthe like, may be used to establish secure private networks and networkpaths.

Generalized Operations

FIG. 14 represents the generalized operation of performing actions viadevices that establish a secure private network in accordance with atleast one of the various embodiments. In at least one of the variousembodiments, process 1400 described in conjunction with FIG. 14 may beimplemented by and/or executed on a management platform server computer,an industrial security computer, a gateway computer, a network computer,or the like, such as, network computer 1200 of FIG. 12. In otherembodiments, these processes, or portions thereof, may be implemented byand/or executed on a plurality of network computers. In yet otherembodiments, these processes, or portions thereof, may be implemented byand/or executed on one or more virtualized computers, such as, those ina cloud-based environment. However, embodiments are not so limited andvarious combinations of network computers, client computers, or the likemay be utilized. Further, in at least one of the various embodiments,the process described in conjunction with FIG. 14 may be used forperforming actions via devices that establish a secure private networkin accordance with at least one of the various embodiments and/orarchitectures such as those described in conjunction with FIGS. 1-13.Further, in at least one of the various embodiments, some or all of theactions performed by process 1400 may be executed in part byauthentication system 450, SCMP 120, management platform application1124, and network routing application 1226, or the like, or combinationthereof.

FIG. 14 illustrates an overview flowchart of process 1400 for performingactions via devices that establish a secure private network inaccordance with at least one of the various embodiments. After a startblock, at block 1402, in at least one of the various embodiments, agateway computer may intercept one or more communications from anunauthenticated source node computer. In at least one of the variousembodiments, a gateway computer, including industrial securityapplications, may be arranged to automatically intercept some or all ofthe communications from one or more source node computers. At block1404, in at least one of the various embodiments, the gateway computermay generate a request for credentials and provide it to theunauthenticated source node computer.

As described above, the gateway computer may generate a request forcredentials from unauthenticated source computers that may have providedintercepted communications. In some cases, the source node computer maybe expressly requesting to be authenticated. In other cases, the sourcenode computer may be directing a communication to a target node computerin the secure private network. In either cases, the gateway computer mayintercept the communication and provide a request for authenticationcredentials to the requesting unauthenticated source node.

At block 1406, in at least one of the various embodiments, the gatewaycomputer may provide the credentials from the unauthenticated sourcenode computer along with the intercepted communication to a managementplatform server computer.

At block 1408, in at least one of the various embodiments, a managementplatform server computer may authenticate the source node and/or thecommunication based on the credentials and the interceptedcommunication. In at least one of the various embodiments,authentication may take at least two steps. In one step the managementplatform server computer may authenticate the credentials. In at leastone of the various embodiments, in another step the management platformserver computer may validate that the type of communication and/orcommunication request is authorized for the set of providedauthentication credentials. Also, in at least one of the variousembodiments, the management platform server may validate that thecredentials enable the source node computer to access the requestedtarget node computer.

At decision block 1410, in at least one of the various embodiments, ifthe unauthenticated source node computer is authenticated, control mayflow to block 1412; otherwise, control may be flow to block 1418. In atleast one of the various embodiments, if the authentication credentialsfail to be validated and authenticated, the communication may berejected. Likewise, in at least one of the various embodiments, if therequest or communication exceeds the authorization level associated withthe credentials, the communication may be rejected.

At block 1412, in at least one of the various embodiments, themanagement platform server may determine a target gateway computer basedon the intercepted communication and the target node. In at least one ofthe various embodiments, the communication may include networkinformation such as source network address and destination networkaddress that may be used to determine the target node computer.Likewise, the target node computer may be coupled to a particulargateway computer (referred to as a target gateway computer).

In at least one of the various embodiments, the management platformserver computer may have access to network configuration informationthat indicates which node computers are associated with which gatewaycomputer. Accordingly, the management platform server may employ thisinformation to identify the target gateway computer that may beassociated with the target node computer.

In at least one of the various embodiments, the management platformserver may determine the target gateway computer and/or a network pathto the target gateway computer based on one or more characteristics ofthe network. In at least one of the various embodiments, suchcharacteristics may include, current performance of the secure privatenetwork, expected performance of the secure private network, performanceof node computers on the secure private network, performance andcapabilities of equipment coupled to one or more node computers on thesecure private network, or the like, or combination thereof.

In at least one of the various embodiments, the communication mayinclude information that should be sent to perform a particular taskrather than an address to a particular target node. Or, in at least oneof the various embodiments, the communication may identify a class orcategory of target nodes rather than a specific target node computer.Accordingly, in at least one of the various embodiments, the managementplatform server may be arranged to determine the specific target nodecomputer from those node computers that meet the criterion expressed inthe communication from the source node computer.

In at least one of the various embodiments, the particular target nodecomputer may be selected based on one or more capabilities and/orfeatures of the node. For example, in at least one of the variousembodiments, in an automated industrial paint shop the communication maybe a request to paint a product or component, the request may include aparticular color, paint type, or the like. In this example, themanagement platform server may determine the target gateway based on itsbeing coupled to the paint machine that is loaded with the correct colorpaint or paint type.

In other embodiments, capability characteristics, such as, types offasteners, nails, staples, glue, and so on, available at a workstation(e.g., industrial robot) may be considered by the management platformserver when determine a target gateway computer and/or target nodecomputer.

In at least one of the various embodiments, other capabilitycharacteristics, such as, speed/cycle-rate, size, capacity, physicallocation, temperature, maintenance history, engineering tolerances, orthe like, or combination thereof may be used to determine the targetgateway computer and/or the target node computer.

At block 1414, in at least one of the various embodiments, themanagement platform server may generate configuration information for asecure private network connection and provide it to the gateway computerand the target gateway computer. In at least one of the variousembodiments, the configuration information may include sufficientinformation for the gateway computer to communication with thedetermined target gateway computer.

At block 1416, in at least one of the various embodiments, a secureprivate network connection may be made between the authenticated sourcenode and the target node. In at least one of the various embodiments,the gateway computer along with the target gateway computer may employthe configuration information provided by the management platform serverto establish a connection over the mesh network, secure private network,or the like, to enable secure communication between the source nodecomputer and the target node computer. At block 1418, in at least one ofthe various embodiments, since the source node is not authenticated, theintercepted communication may be discarded or otherwise ignored. Next,control may be returned to a calling process.

What is claimed as new and desired to be protected by Letters Patent ofthe United States is:
 1. A method for managing secure communication overa network, wherein execution of logic by a gateway computer performsactions, comprising: intercepting a communication from anunauthenticated source node computer, wherein the communication isdirected at a target node computer; when the unauthenticated nodecomputer provides its credentials in response to a request forcredentials from the gateway computer, providing the credentials and theintercepted communication to a management platform server that performsfurther actions, including: authenticating the unauthenticated sourcenode computer based on its credentials and the interceptedcommunication; determining a target gateway computer that corresponds tothe target node computer based on content of the interceptedcommunication; and providing configuration information for generating asecure private network connection between the gateway computer and thetarget gateway computer; and establishing the secure private networkconnection to the target gateway computer based on the configurationinformation; and securely sending the intercepted communication to thetarget gateway computer over the secure private network connection,wherein the target gateway computer securely provides the interceptedcommunication to the target node computer.
 2. The method of claim 1,wherein the management platform server performs further actionscomprising: pairing the gateway computer with one or more other gatewaycomputers; generating a unique identifier for the gateway computer and aseparate unique identifier for each of the other gateway computers;generating a single shared identifier and associating it with thegateway computer and the one or more other gateway computers; modifyingthe configuration information for the secure private network connectionbased on the unique identifier for the gateway computer and the separateunique identifiers for each of the other gateway computers; and when thegateway computer fails, determining one of the one or more other gatewaycomputers to replace operation of the gateway computer based on at leastthe shared identifier.
 3. The method of claim 1, further comprising:generating instructions for a user-interface that enables a user toenter the credentials; and providing the instructions to theunauthenticated source node computer.
 4. The method of claim 1, whereindetermining the target gateway computer, further comprises, furtherdetermining the target gateway computer based on one or more rule-basedpolicies.
 5. The method claim 1, further comprising: intercepting allcommunication originating outside the network; and generating requestsfor credentials based on one or more types of each interceptedcommunication.
 6. The method of claim 1, wherein the configurationinformation for generating the secure private network connection,further comprises, one or more of, routing tables or firewallinformation that enables the gateway computer to access the secureprivate connection and communicate with the target gateway computer. 7.The method of claim 1, wherein generating the configuration informationfor the secure private network connection, further comprises,determining contents of the configuration information based on one ormore secure private network characteristics, including one or more of,current performance of the secure private network, expected performanceof the secure private network, performance of node computers on thesecure private network, or performance and capabilities of equipmentcoupled to one or more node computers on the secure private network. 8.A system for managing secure communication over a network, comprising: agateway computer, comprising: a transceiver that communicates over thenetwork; a memory that stores at least instructions; and a processordevice that executes instructions that perform actions, including:intercepting a communication from an unauthenticated source nodecomputer, wherein the communication is directed at a target nodecomputer; when the unauthenticated node computer provides itscredentials in response to a request for credentials from the gatewaycomputer, providing the credentials and the intercepted communication toa management platform server computer; establishing a secure privatenetwork connection to the target gateway computer based on configurationinformation provided by the management platform server computer; andsecurely sending the intercepted communication to the target gatewaycomputer over the secure private network connection, wherein the targetgateway computer securely provides the intercepted communication to thetarget node computer; and the management platform server computer,comprising: a transceiver that communicates over the network; a memorythat stores at least instructions; and a processor device that executesinstructions that perform actions, including: authenticating theunauthenticated source node computer based on its credentials and theintercepted communication that are provided by the gateway computer;determining the target gateway computer that corresponds to the targetnode computer based on content of the intercepted communication; andproviding the configuration information for generating the secureprivate network connection between the gateway computer and the targetgateway computer to the gateway computer and the target gatewaycomputer.
 9. The system of claim 8, wherein the management platformserver computer performs further actions comprising: pairing the gatewaycomputer with one or more other gateway computers; generating a uniqueidentifier for the gateway computer and a separate unique identifier foreach of the other gateway computers; generating a single sharedidentifier and associating it with the gateway computer and the one ormore other gateway computers; modifying the configuration informationfor the secure private network connection based on the unique identifierfor the gateway computer and the separate unique identifiers for each ofthe other gateway computers; and when the gateway computer fails,determining one of the one or more other gateway computers to replaceoperation of the gateway computer based on at least the sharedidentifier.
 10. The system of claim 8, wherein the gateway computerprocessor device executes instructions that perform actions furthercomprising: generating instructions for a user-interface that enables auser to enter the credentials; and providing the instructions to theunauthenticated source node computer.
 11. The system of claim 8, whereindetermining the target gateway computer, further comprises, furtherdetermining the target gateway computer based on one or more rule-basedpolicies.
 12. The system of claim 8, wherein the gateway computerprocessor device executes instructions that perform actions furthercomprising: intercepting all communication originating outside thenetwork; and generating requests for credentials based on one or moretypes of each intercepted communication.
 13. The system of claim 8,wherein the configuration information for generating the secure privatenetwork connection, further comprises, one or more of, routing tables orfirewall information that enables the gateway computer to access thesecure private connection and communicate with the target gatewaycomputer.
 14. The system of claim 8, wherein generating theconfiguration information for the secure private network connection,further comprises, determining contents of the configuration informationbased on one or more secure private network characteristics, includingone or more of, current performance of the secure private network,expected performance of the secure private network, performance of nodecomputers on the secure private network, or performance and capabilitiesof equipment coupled to one or more node computers on the secure privatenetwork.
 15. A processor readable non-transitory storage media thatincludes instructions for managing secure communication over a network,wherein execution of the instructions by a gateway computer processordevice performs actions, comprising: intercepting a communication froman unauthenticated source node computer, wherein the communication isdirected at a target node computer; when the unauthenticated nodecomputer provides its credentials in response to a request forcredentials from the gateway computer, providing the credentials and theintercepted communication to a management platform server that performsfurther actions, including: authenticating the unauthenticated sourcenode computer based on its credentials and the interceptedcommunication; determining a target gateway computer that corresponds tothe target node computer based on content of the interceptedcommunication; and providing configuration information for generating asecure private network connection between the gateway computer and thetarget gateway computer; and establishing the secure private networkconnection to the target gateway computer based on the configurationinformation; and securely sending the intercepted communication to thetarget gateway computer over the secure private network connection,wherein the target gateway computer securely provides the interceptedcommunication to the target node computer.
 16. The media of claim 15,wherein the management platform server performs further actionscomprising: pairing the gateway computer with one or more other gatewaycomputers; generating a unique identifier for the gateway computer and aseparate unique identifier for each of the other gateway computers;generating a single shared identifier and associating it with thegateway computer and the one or more other gateway computers; modifyingthe configuration information for the secure private network connectionbased on the unique identifier for the gateway computer and the separateunique identifiers for each of the other gateway computers; and when thegateway computer fails, determining one of the one or more other gatewaycomputers to replace operation of the gateway computer based on at leastthe shared identifier.
 17. The media of claim 15, further comprising:generating instructions for a user-interface that enables a user toenter the credentials; and providing the instructions to theunauthenticated source node computer.
 18. The media of claim 15, whereindetermining the target gateway computer, further comprises, furtherdetermining the target gateway computer based on one or more rule-basedpolicies.
 19. The media of claim 15, further comprising: interceptingall communication originating outside the network; and generatingrequests for credentials based on one or more types of each interceptedcommunication.
 20. The media of claim 15, wherein the configurationinformation for generating the secure private network connection,further comprises, one or more of, routing tables or firewallinformation that enables the gateway computer to access the secureprivate connection and communicate with the target gateway computer. 21.The media of claim 15, wherein generating the configuration informationfor the secure private network connection, further comprises,determining contents of the configuration information based on one ormore secure private network characteristics, including one or more of,current performance of the secure private network, expected performanceof the secure private network, performance of node computers on thesecure private network, or performance and capabilities of equipmentcoupled to one or more node computers on the secure private network. 22.A gateway computer for managing secure communication over a network,comprising: a transceiver that communicates over the network; a memorythat stores at least instructions; and a processor device that executesinstructions that perform actions, including: intercepting acommunication from an unauthenticated source node computer, wherein thecommunication is directed at a target node computer; when theunauthenticated node computer provides its credentials in response to arequest for credentials from the gateway computer, providing thecredentials and the intercepted communication to a management platformserver that performs further actions, including: authenticating theunauthenticated source node computer based on its credentials and theintercepted communication; determining a target gateway computer thatcorresponds to the target node computer based on content of theintercepted communication; and providing configuration information forgenerating a secure private network connection between the gatewaycomputer and the target gateway computer; and establishing the secureprivate network connection to the target gateway computer based on theconfiguration information; and securely sending the interceptedcommunication to the target gateway computer over the secure privatenetwork connection, wherein the target gateway computer securelyprovides the intercepted communication to the target node computer. 23.The gateway computer of claim 22, wherein the management platform serverperforms further actions comprising: pairing the gateway computer withone or more other gateway computers; generating a unique identifier forthe gateway computer and a separate unique identifier for each of theother gateway computers; generating a single shared identifier andassociating it with the gateway computer and the one or more othergateway computers; modifying the configuration information for thesecure private network connection based on the unique identifier for thegateway computer and the separate unique identifiers for each of theother gateway computers; and when the gateway computer fails,determining one of the one or more other gateway computers to replaceoperation of the gateway computer based on at least the sharedidentifier.
 24. The gateway computer of claim 22, further comprising:generating instructions for a user-interface that enables a user toenter the credentials; and providing the instructions to theunauthenticated source node computer.
 25. The gateway computer of claim22, wherein determining the target gateway computer, further comprises,further determining the target gateway computer based on one or morerule-based policies.
 26. The gateway computer of claim 22, furthercomprising: intercepting all communication originating outside thenetwork; and generating requests for credentials based on one or moretypes of each intercepted communication.
 27. The gateway computer ofclaim 22, wherein the configuration information for generating thesecure private network connection, further comprises, one or more of,routing tables or firewall information that enables the gateway computerto access the secure private connection and communicate with the targetgateway computer.
 28. The gateway computer of claim 22, whereingenerating the configuration information for the secure private networkconnection, further comprises, determining contents of the configurationinformation based on one or more secure private network characteristics,including one or more of, current performance of the secure privatenetwork, expected performance of the secure private network, performanceof node computers on the secure private network, or performance andcapabilities of equipment coupled to one or more node computers on thesecure private network.